[Owasp-leaders] Are we helping Hackers or helping Application security?

Timothy D. Morgan tim.morgan at owasp.org
Fri May 20 17:02:24 UTC 2016

> Respectfully, and so that you understand, I'm more than a ZAP fan. I
> contribute to/promote this project. Don't get me wrong, ZAP is my favourite
> tool and I just feel like they have used something I care for bad purposes,
> like thieves who steal your car to commit a bank robbery.
> I think we need to at least incentivize (not only financially) and motivate
> more research into defending applications. Our defender projects help but
> they are a far cry from really making a difference.

Ok, so we all agree tools are just tools and they can be used for good or
evil.  Let's put that behind us, yeah?

I think the point Johanna is making is that while there are a lot of offensive
tools in the OWASP lineup to help everyone *understand* what the security
problems are, there are fewer mature tools projects on the defense side to help
developers solve them.

Is that a problem?  Is it just the nature of the beast that our solutions on
the defense side involve more documentation, testing guides, and awareness
campaigns?  I'm actually not sure of the answer to that.

What I do think, however, is that while technical frameworks designed for
defense are a great idea, they aren't going to be adopted by the
majority of developers who need them if they are developed as independent
libraries/modules/etc.  The developers who need them have never heard of OWASP,
and even if they have, they aren't sufficiently motivated to go out of their way
to integrate a security framework into their day-to-day development.  So I
don't think adding a bunch more defense tools is really the answer unless those
are somehow integrated into standard frameworks and development platforms.
